Hackers Can Mess With Traffic Lights to Jam Roads and Reroute Cars

The hacker in the Italian Job did it spectacularly. So did the fire sale team in Live Free or Die Hard. But can hackers really hijack traffic lights to cause gridlock and redirect cars?

According to one researcher, parts of the vehicle traffic control system installed at major arteries in U.S. cities and the nation’s capital are so poorly secured they can be manipulated to snarl traffic or force cars onto different streets.

The hack doesn’t target the traffic lights directly but rather sensors embedded in streets that feed data to traffic control systems, says Cesar Cerrudo, an Argentinian security researcher with IoActive who examined the systems and plans to present his findings at the upcoming Infiltrate conference in Florida.

The vulnerable controllers–Sensys Networks VDS240 wireless vehicle detection systems–are installed in 40 U.S. cities, including San Francisco, Los Angeles, New York City, Washington, DC, as well as in nine other countries.

The system is comprised of magnetic sensors embedded in roadways that wirelessly feed data about traffic flow to nearby access points and repeaters, which in turn pass the information to traffic signal controllers.

The sensors use a proprietary protocol designed by the vendor — called the Sensys NanoPower Protocol — that operates similar to Zigbee. But the systems lack basic security protections — such as data encryption and authentication — allowing the data to be monitored, or, theoretically, replaced with false information.

Although an attacker can’t control traffic signals directly through the sensors, he might be able to trick control systems into thinking that congested roadways are clear or that open roadways are packed with cars, causing traffic signals to respond accordingly, says Cerrudo.

“By sniffing 802.15.4 wireless traffic on channels used by Sensys Networks devices,” Cerrudo wrote in an advisory he sent to the Department of Homeland Security’s ICS-CERT division last year, “it was found that all communication is performed in clear text without any encryption nor security mechanism. Sensor identification information (sensorid), commands, etc. could be observed being transmitted in clear text. Because of this, wireless communications to and from devices can be monitored and initiated by attackers, allowing them to send arbitrary commands, data and manipulating the devices.”

Sensys Networks’ vice president of engineering, Brian Fuller, told WIRED that the DHS was “happy with the system,” and that he had nothing more to add on the matter.

Cerrudo conducted field tests of Sensys sensors in Seattle, New York, and Washington, DC, to prove that he could easily intercept the unencrypted data. He says it would not be difficult for someone to reverse-engineer the Sensys NanoPower Protocol to design an attack after studying the data.

Cesar Cerrudo in downtown New York City, conducting field test of vulnerable traffic sensors. Photo: Courtesy of Cesar Cerrudo

Because the sensors’ firmware is also not digitally signed and access to them is not restricted to authorized parties, an attacker can alter the firmware or modify the configuration of the sensors. An attacker who just wanted to cause trouble, for example, could reconfigure the embedded street sensors to communicate on different radio channels than the access points, effectively severing the wireless link between them. Cerrudo says it would be very difficult to detect a compromised sensor.

Though hackers would need to be physically near the sensors to pull off the feat, a simple wireless transmitter the size of a USB stick is sufficient to intercept data from 150 feet away. That range could be extended to 1,500 feet using a powerful antenna, making it possible for someone to alter the data from a nearby rooftop or even from a drone flying overhead.

Cerruda tested the latter using a drone to send fake data to a Sensys access point he owns. He was able to send the data from more than 600 feet in the air, but with a stronger antenna he believes he could do it from a mile or more as long as he had line of sight to the access point.

While Cerruda acknowledges that the systems may have manual overrides and secondary controls that could be used to mitigate problems, an attacker could nevertheless create traffic jams and other problems — causing lights to remain red longer than they should or allowing cars at metering lights to enter freeways and bridges faster or slower than optimal — before anyone would notice and respond to the problem.

“These traffic problems could cause real accidents, even deadly ones by cars crashing or by blocking ambulances, fire fighters, or police cars going for an emergency call,” he writes in a blog post.

Sensys Networks has installed its systems in 40 states, according to company documents, and has more than 50,000 sensors operating in 10 countries–including the United Kingdom, China, Canada, Australia, and France. In addition to detecting the presence of traffic at intersections and highway on-ramps, the sensors can be configured to count vehicles, track the movement of vehicles by detecting the same vehicle at different points, or be placed in idle mode to not detect anything at all.

The wireless sensors run on batteries that can last more than a decade and are being installed by cities to replace old-school inductive loops embedded in roadways as well as video-detection systems that are still used on many roadways to track traffic.

Hacking the system requires a few specialized tools. Cerrudo purchased an access point from Sensys Networks — at a cost of about $4,000 — which he placed in a backpack or on his car dashboard to intercept data from sensors in Seattle, New York, and Washington, DC. The access point he purchased is compatible with all of the company’s street sensors worldwide, and is used with a free Windows-based software that the company makes available on its web site. The software allowed him to view the data in an easy-to-read format on his laptop.

Generally, the access points aren’t available to the public and are sold only to city governments, but Cerrudo talked his way into purchasing one by telling the vendor he needed a unit to test on behalf of one of his customers. Although he’s based in Argentina, he had it shipped to an address in Puerto Rico.

A hacker wouldn’t necessarily need an access point to intercept data, however, but could simply intercept it using a wireless transceiver. The data, however, would need to be analyzed, to understand the protocol, and parsed for reading.

“Without the access point and software, you can sniff the wireless data, but it will be difficult to understand what everything means,” he says. “You need the access point to learn how the system works, but after you learn, then you don’t need anymore the access point because you can build your own device.

With knowledge of the protocol, an attacker can “watch” the communication between the sensors and access points, which includes configuration information about the sensors themselves and the unique ID for each sensor. An attacker can use this information to target specific sensors.

Sensys Networks access point (at left), which Cerrudo purchased from the company, and a traffic sensor (at right) which gets embedded in roadways. Photo: Courtesy of Cesar Cerrudo

Although the security problems with the sensors could be easily resolved by encrypting the data in transit and preventing unauthorized users from altering the configuration or firmware, Cerrudo says the company has been unresponsive to the issues.

When Cerrudo reported the issues last July to DHS’s ICS-CERT division, which works with vendors to resolve security problems with control systems, he was told the lack of encryption was intentional on the part of Sensys Networks because the municipal customers buying the systems didn’t want it.

“The option for encrypting the over-the-air information was removed early in the product’s life cycle based on customer feedback,” an unknown Sensys employee explained in a response to ICS-CERT, which ICS-CERT quoted to Cerrudo in an email. “There was nothing broken on the system as we did not intend the over-the-air information to be protected.”

The company added that firmware updates for the sensors are now encrypted with AES — which means that hackers cannot grab the updates en route and analyze them to determine how it works or design updates for the systems.

But Cerrudo says that the firmware updates are only encrypted for new versions of the company’s sensors, while thousands of sensors already in the field are not enabled to handle encrypted firmware updates. The sensors would have to be disinterred from streets and replaced with new ones that support encrypted updates.

“[W]hile there may be a need for code signing/encryption of firmware for older models of the in-ground sensor, newer versions of the hardware have this capability but older versions cannot be updated without replacement (e.g. digging up the roadbed),” ICS-CERT wrote to Cerrudo.

ICS-CERT told Cerrudo that it would not pursue the matter further. “If you can provide details of a vulnerability being exploited in this or the other products, ICS-CERT will revisit the issue at that time,” Matthew Kress-Weitenhagen, a vulnerability coordinator for ICS-CERT, wrote Cerrudo.

The vendor told ICS-CERT that the security problems weren’t an issue because the systems weren’t accessible via the internet and it wasn’t possible to control traffic lights through the sensors and access points, indicating that lights are controlled by other means.

The justifications, Cerrudo says, “are mostly nonsense. It’s like the guys at ICS-CERT don’t understand and buy what the vendor says. But I clearly told CERT that there is no encryption and no authentication and that anyone can take over the sensors.

“[It’s] funny how they get all this information affecting national infrastructure and it ends up without solution,” he says.